Microsoft, IBM report fewer critical vulnerabilities, exploits

Number of severe security flaws in Microsoft software hit lowest level since 2005; fewer exploits were released overall

In 2011 the number of critical vulnerabilities in Microsoft software fell to its lowest level in six years. In addition, data from IBM shows fewer vulnerabilities overall are being exploited by security researchers and attackers.

Those two points suggest that the vulnerability landscape is changing, with attackers increasingly stymied by the security features now commonplace in operating systems and less likely to spend the effort needed to exploit flaws.

The number of vulnerabilities that have been publicly exploited by attackers has dropped to 10.8 percent in 2011 from about 15 percent in the previous year, according to Tom Cross, manager of IBM's X-Force Advanced Research team.

"These things may be the consequence of there being fewer valuable vulnerabilities that are getting disclosed and also exploitation is getting harder because operating systems have a lot of these feature ... that make exploitation more challenging," Cross says.

Up-to-date data from IBM will be included in its 2011 security report, which will be released early next year. Exploitation has fallen in several key categories, including browsers, document readers, and media players, Cross says.

Microsoft released its own data on a drop in the number of critical bulletins released by the company in 2011. Microsoft issued its last planned software update for the year on Tuesday, and noted that only 30 out of a total of 99 bulletins were rated critical. In absolute numbers, critical vulnerabilities were at their lowest level since 2005. As a relative percentage, this year has beaten every year since the company started tracking the data in 2004.

Ever since Microsoft kicked off its Trustworthy Computing Initiative in January 2002, the company has focused on eliminating vulnerabilities in its software, improving its development process, and making its operating systems and applications harder to exploit. The latest data suggests the company has had some success.

"The fact that we're seeing lower percentages of critical issues and bulletins year-over-year demonstrates the progress made by the product groups in creating more secure software," Mike Reavey, senior director of the Microsoft Security Response Center, said in a blog post about the data.

While attackers continue to focus on vulnerabilities in Adobe Acrobat, Oracle's Java, and Microsoft's Office, security researchers have put increasing effort into auditing less mainstream software such as industrial control systems, automotive systems, and mobile devices.

Overall, the trend should be considered a win, says IBM's Cross.

"We are not there yet by any means, but I think you can look at some of our data and see that we have made progress in making these operating systems safer," he says.

This story, "Microsoft, IBM report fewer critical vulnerabilities, exploits," was originally published on the InfoWorld Tech Watch blog.

Copyright © 2011 IDG Communications, Inc.